Barracuda WAF-as-a-Service

Shared IP and Dedicated IP Addressing


Every application deployed in WAF-as-a-Service is assigned an IP address internally. By default, the IP address is shared between multiple applications in an account. The other deployment option is to use a dedicated IP address for each application. To assign a dedicated IP for your application, see How to Change Shared IP to Dedicated IP.

Shared IP


The shared IP address assignment will result in the following:

  • Traffic for valid domain names (those defined on the Endpoints page) will be processed and secured. Requests for an application that does not have the DNS name associated with it will not be processed, and the traffic will be dropped.

    SNI is required for Shared IP. If you have an old client that does not support SNI, the application should use a dedicated IP for it to work. Dedicated IP is available only in the Premium license plan.

  • You will not be able to define non-standard protocol and port combinations; for example:
    • On ports 80 or 8080, which are typically associated with HTTP, you will not be able to define HTTPS endpoints.
    • On ports 443 or 4443, which are typically associated with HTTPS, you will not be able to define HTTP endpoints.
  • The IP addresses allocated in the Barracuda WAF-as-a-Service infrastructure can change without notice during regular maintenance or due to failovers. These changes will not cause any traffic disruption.

Applications should be configured with the standard protocol and port combination. The Barracuda WAF-as-a-Service provides the list of standard ports that can be used when configuring the application:

Protocol: HTTP/Redirect

21,22,40,80,81,82,87,88,89,
90,100,189,389,580,591,2080,
2101,2251,3000,4320,4321,
5721,7004,7005,7006,7007,
7008,7012,7737,7757,7968,
8000,8008,8012,8032,8080,
8081,8082,8086,8087,8088,
8089,8530,25500,25511,49200,
50000,50200,51514,51515,62000

Protocol: HTTPS

83,440,443,444,445,446,1415,3011,
3391,3443,3780,4000,4001,4081,4119,
4181,4433,4437,4443,4444,4471,4552,
5000,5001,5200,5443,5533,5534,5671,
6100,7002,7003,7071,7443,7767,8007,
8011,8013,8016,8022,8083,8085,8090,
8101,8103,8107,8111,8124,8280,8443,
8444,8447,8448,8531,8543,9000,9001,
9065,9066,9090,9102,9260,9443,9510,
9520,9980,10081,10443,12347,12443,14430,
14443,15671,18443,28443,29443,44300,
48080,50301,50501,52443,53214,58370,
59443,61521,62541,64445

Ensure that no two endpoints of the same protocol have the same domain. For example, an HTTP endpoint can be "site.com" and an HTTPS endpoint can be "site.com", but two HTTPS endpoints cannot both host "site.com".

Precaution for Unintended Traffic Disruption with Shared IP

  • Ensure all application Endpoints include all domain names that you are using to process traffic to your application.
  • Ensure you do not have more than one application with the same domain name. If multiple applications in your account have the same domain name, traffic for that domain will be sent to the configured CNAME.
  • If you have endpoints using non-standard ports, such as port 80 for HTTPS instead of HTTP, adjust them to use standard ports.
  • Ensure all your DNS records are updated as recommended on your Endpoints page. Specifically, do not use A records instead of CNAME records, as those will not be automatically updated to use the new IPs and will stop working starting in 30 days.
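
The port and domain checks above can be run against an endpoint inventory before traffic is affected. The following Python sketch is an added example, not Barracuda code: the endpoint dictionary shape (`app`, `protocol`, `port`, `domains`) and the sample data are assumptions, and the port sets are copied from the table on this page.

```python
from collections import defaultdict

def _ports(csv):
    return {int(p) for p in csv.split(",")}

# Standard ports per protocol, copied from the table on this page.
STANDARD_PORTS = {
    "HTTP": _ports(
        "21,22,40,80,81,82,87,88,89,90,100,189,389,580,591,2080,2101,2251,3000,4320,4321,"
        "5721,7004,7005,7006,7007,7008,7012,7737,7757,7968,8000,8008,8012,8032,8080,8081,"
        "8082,8086,8087,8088,8089,8530,25500,25511,49200,50000,50200,51514,51515,62000"),
    "HTTPS": _ports(
        "83,440,443,444,445,446,1415,3011,3391,3443,3780,4000,4001,4081,4119,4181,4433,"
        "4437,4443,4444,4471,4552,5000,5001,5200,5443,5533,5534,5671,6100,7002,7003,7071,"
        "7443,7767,8007,8011,8013,8016,8022,8083,8085,8090,8101,8103,8107,8111,8124,8280,"
        "8443,8444,8447,8448,8531,8543,9000,9001,9065,9066,9090,9102,9260,9443,9510,9520,"
        "9980,10081,10443,12347,12443,14430,14443,15671,18443,28443,29443,44300,48080,"
        "50301,50501,52443,53214,58370,59443,61521,62541,64445"),
}
STANDARD_PORTS["REDIRECT"] = STANDARD_PORTS["HTTP"]  # the table groups HTTP/Redirect

def audit_endpoints(endpoints):
    """Return (issue, app, detail) findings that conflict with the Shared IP rules."""
    findings = []
    seen = defaultdict(list)  # (protocol, normalized domain) -> apps declaring it
    for ep in endpoints:
        proto, port = ep["protocol"].upper(), ep["port"]
        # Rule: the port must be a standard port for the endpoint's protocol.
        if port not in STANDARD_PORTS.get(proto, set()):
            findings.append(("nonstandard-port", ep["app"], f"{proto}/{port}"))
        for domain in ep["domains"]:
            seen[(proto, domain.lower().rstrip("."))].append(ep["app"])
    # Rule: no two endpoints of the same protocol may carry the same domain.
    for (proto, domain), apps in seen.items():
        if len(apps) > 1:
            findings.append(("duplicate-domain", ",".join(apps), f"{proto} {domain}"))
    return findings

# Constructed sample endpoints (hypothetical inventory format, not a Barracuda API).
SAMPLE = [
    {"app": "shop", "protocol": "HTTPS", "port": 443, "domains": ["site.com"]},
    {"app": "shop", "protocol": "HTTP", "port": 80, "domains": ["site.com"]},
    {"app": "blog", "protocol": "HTTPS", "port": 8443, "domains": ["Site.com."]},
    {"app": "legacy", "protocol": "HTTPS", "port": 80, "domains": ["old.example.com"]},
]

if __name__ == "__main__":
    for finding in audit_endpoints(SAMPLE):
        print(finding)
```

Domains are compared case-insensitively and without a trailing dot, so "Site.com." and "site.com" count as the same name.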

Dedicated IP 


A dedicated IP address is an IP address that is assigned to a single application and is not shared with or used by other applications. You can assign a dedicated IP to an application if:

  • The application has a wildcard domain.
  • The Transparent TCP Proxy feature is enabled.
  • The application is deployed/configured with custom ports.
  • The application is created with only one domain, and sub-domains are using DNS mapping to CNAME. Traffic to the subdomains is accessible only if the application is assigned a dedicated IP address.

If your account is licensed with the Application Protection Premium plan or your legacy license is configured with Isolated Mode, you can edit the address to change it to Dedicated IP.

How to Change Shared IP to Dedicated IP

  1. On the WAF-as-a-Service web interface, go to the APPLICATIONS tab and select the application for which you want to assign the dedicated IP.
  2. Select ENDPOINTS in the left panel. 
  3. On the Endpoints page, click Edit in the IP Addressing section.

  4. In the Edit IP Addressing window, enable Allocate a dedicated IP Address to this application and click Save.

  5. After the update is successful, a dedicated IP is assigned to the application.